I have an ASP.Net MVC 3 page in which I have an Html.TextAreaFor control, see code below. If I try to submit the page to the http post action with text in angle brackets like: <test>
, I get a yellow error screen saying:
A potentially dangerous Request.Form value was detected from the client (RequestText="").
I don't understand why I am getting this because I found an article by Scott Guthrie that says the new <%: %>
syntax in .Net 4, will automatically HtmlEncode the element. Since I'm using the <%: %> syntax for the Html.TextAreaFor control, I thought it would automatically take care of this and convert the angle brackets to the proper "<"; and ">" strings.
<% using (Html.BeginForm())
{ %>
<%: Html.ValidationSummary() %>
<h2>Enter a description of the support needed</h2>
<%: Html.TextAreaFor( m => m.RequestText, 4, 90, null) %>
<input type="submit" value="Submit" />
<% } %>
Basically right now, you're encoding the content of the TextAreaFor
on the output. This doesn't help you in the slightest since you're trying to deal with input
If you want to submit "potentially dangerous" content, you need to either
1) decorate the RequestText
property within your ViewModel with [AllowHtml]
. (preferred)
[AllowHtml]
public string RequestText { get; set; }
2) disable validateRequest
<system.web>
<compilation debug="true" targetFramework="4.0" />
<httpRuntime requestValidationMode="2.0" />
</system.web>
Then you must ensure you're appropriately sanitizing that data and/or encoding it in your controller before submitting it to your Repository Layer or Database.